Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Data Replication/Cloning for HA architectures

Damien_Dallimor
Ultra Champion
‎07-27-2011 04:00 AM

Using Splunk functionality, I see that you can enable data cloning/replication either by:

a) configuring a forwarder to load balance over indexers in a primary cluster and also clone data to a indexers in a mirrored cluster

b) configuring the primary indexer cluster to replicate data to a mirrored indexer cluster

On the surface of things, I can't really see any glaringly major differences in either approach.

Any advice on the recommended approach would be appreciated.

DD.

Reply

mahamed_splunk
Splunk Employee
Splunk Employee
‎02-20-2013 03:22 PM

As of Splunk 5.0, the recommended approach is Index Replication.

More info

http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Aboutclusters

0 Karma
Reply

Glenn
Builder
‎10-13-2011 05:38 AM

Benefits of B:

  • It ensures that datasets on primary and mirrored indexers are identical (if one indexer goes down in cloning situation, it may miss events while the other continues to accept them).
  • Moves extra resource usage (network traffic, cpu cycles) due to dealing with HA from the forwarder (where you probably don't want to interfere with your apps' performance) to the indexer.
  • You have the option to tweak what is and isn't forwarded between the primary and mirrored indexers if you want to for some reason. Option A is just a blind clone.
  • Probably some other reasons I don't know about! I know for a fact that HA using autoLB on forwarders and then forwarding data from the indexer(s) is now the official recommendation over the old recommendation of using cloning on the forwarders (according to our Splunk consultants and workshops at a SplunkLive event).
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...